
Sep 18, 2012


While collected data on attackers has increased, it remains narrowly focused on the TTPs of low-medium level hacker crews. We don't have an equivalent level of data about acts of cyber espionage from foreign intelligence services or their agents via multiple channels that are ignored by gov't and private sector security firms (i.e., in-country ICT infrastructure, vendors, insiders, social engineering). Therefore, since we can't know sufficient data about who will attack, when, or how, companies and gov't need to treat their critical data differently and completely reject the concept that we can keep an adversary out of our network. What we can do, however, is keep critical data from leaving. Therefore, improved defensive strategies must remain part of any future cyber security framework and offensive actions must only be initiated when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted.

Stewart, I like the deputizing method for cyber attacks.
Create a market based solution for the problem, post a 'scalp' price w/ associated documentation (within a public or closed private forum)

Jeffrey: this won't work at scale: "when attribution passes certain analytic tests applied not by DHS, DOD or the private sector but by trained analysts in the IC where more rigorous analysis is conducted."
there just simply isn't enough trained manpower or funds

++ companies need to take more control over their infrastructure by seeing the source code in their systems versus just assuming it's secure because a company said so

Jeffreycarr is right that we still lack a lot of data about our attackers. But our insight into attacker TTPs has opened up intelligence-gathering possibilities that could lead to the data we now lack. And it's true that we can't keep attackers out so we need to find new ways to protect crucial data. I don't see a contradiction in pursuing both priorities.

I'm not sure I'd draft the IC to decide when offensive action is warranted, for the reason John Scott gives. But the IC should certainly be part of the process of developing standards for what private sector investigators should be allowed to do under what circumstances.

Hi Stewart, private investigators aren't trained intel analysts, meaning that they don't know how to vet source material using analytic models nor do they apply negative analysis before making a pronouncement about attribution. So technically, no true analysis is being done by private investigators.

And, with respect, I've been intimately involved with incident response w/ breaches impacting Fortune 100 companies and can tell you with certainty that TTPs will not lead to "the data that we now lack". For one thing, researchers see what they are meant to see by the attacker. For another, the only groups that have been identified are aliases for 20 or so hacker crews. We have yet to concretely pin an attack on an FIS or nation state unless that state has overtly claimed responsibility for it.

Advocating for offensive actions by private companies is like putting weapons of mass destruction in the hands of children. Poor intelligence analysis leading to failures happens by trained analysts on a regular basis. In at least one case, it led us into a trillion-dollar war. Can you imagine the potential for widespread disruption if companies who think they know who attacked them strike back at the wrong nation state? That's a gamble that we don't need to take when a better defensive strategy will render most attacks impotent.


I think you're wrong on many levels. Here are three.

1. I've worked with plenty of contractors who focus on cyber, and some of them are as good or better than the "trained intel analysts" who do it inside government. Some of them probably were "trained intel analysts" before going to a contractor, and some of them have probably continued to do such analysis on contract to the government. There is no magic priesthood in government that Knows More Than The Rest of Us on this topic.

2. TTPs by themselves aren't all that we need. If they were, we wouldn't need to pursue attribution. But they demonstrate that pursuing attribution is not a fool's errand. We now know much more about the bad guys than we did five years ago. That strongly suggests that, with effort, we'll know much more five years from now. But we need to put resources into that effort, more resources and more imagination than the government can muster today.

3. And, with respect, your "WMD in the hands of children" line tells me that you want to argue with a straw man. This is a pretty common approach among CCIPS alumni; they have difficulty imagining any counterhack that doesn't involve frying adversary computers, followed closely by the deaths of patients in the intensive care unit that the computers support, or some equally outlandish hypothetical.

Where in my piece do you see a suggestion that private sector investigators should have authority to "strike back at nation states"? I'm talking about authorizing activities like conducting online investigations, evidence gathering, identifying the companies that are actually benefiting from the hacks so they can be sued, and depriving them of the benefits of what they've stolen. It's not hard to distinguish between those activities and an ICU-melting "strike". Yet defenders of the old CCIPS conventional wisdom can't seem to talk about this problem for five minutes without invoking visions of vigilante hackers engaged in random meltdowns of half-identified computers. Frankly, invoking that vision is the cyber equivalent of invoking Hitler in an online debate -- simply proof that you've already lost.

You do propose that offensive capabilities be given to the private sector. You may not intend for those capabilities to be used in the extreme but you believe that some latitude is possible, correct? My position is that I have yet to see any evidence that InfoSec companies can determine attribution that's any better than 50/50 guesswork. In my opinion, that's not good enough to give them any latitude in attacking someone else's computer.

We're probably too far apart in our respective positions to come to an agreement via a blog post, but thanks for providing a forum for engagement and discussion.

There you go again. "Offensive capabilities" is a vague and sinister category that could include everything from breaking into networks and destroying hard drives to letting bad guys steal files that will phone home when they're opened by the thief. Why in the world would we fail to distinguish between destroying computers and exploiting them for evidence? The discourse on this question should also distinguish between the two -- unless one is trying to confuse the debate.

If I understand your position, it can be summarized as follows: The private sector can't do conclusive attribution today. So we should never allow them to engage in hacking for the purpose of conclusive attribution.

I don't buy it. But I will buy you a beer some day for a longer conversation.

I'd be honored to accept. Thanks, Stewart!
